Using mschap authentication without EAP
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Fri Jul 21 12:59:00 CEST 2006
> Well, after some changes in OpenLDAP config, this is the result:
So your first issue was OpenLDAP-related...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as
> cn=Manager,dc=xxxx,dc=it/PASSWORD to 192.168.1.221:389
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful
Bind as manager is ok...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in
> ou=utenti,dc=xxxx,dc=it, with filter (uid=misterc)
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for
> misterc is allowed by userPassword
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password
> {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in
> directory...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as
> Auth-Type, value LDAP & op=21
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as
> User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in
> directory...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use
> remote access
Great, rlm_ldap has retrieved everything needed.
> Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns
> ok) for request 0
Now it's time to run the authenticate module
> Fri Jul 21 11:15:51 2006 : Debug: rad_check_password: Found Auth-Type
> LDAP
> Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
> Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of
> radiusd.conf
The LDAP module will be used (that is to say a bind with the user's
credentials will be attempted, provided that the request contains the
necessary data).
> Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
> Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap
> (rlm_pap) for request 0
> Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required
> for authentication. Cannot use "CHAP-Password".
Well, it seems that your radius client is trying CHAP and not PAP. You
wrote in a previous mail that the request was:
rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
User-Name = "misterc"
CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.2
Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
Called-Station-Id = "AA-AA-AA-AA-DD-AA"
NAS-Identifier = "nas01"
Acct-Session-Id = "44bfd15d00000000"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
That means that your client is trying MS-CHAP, and MS-CHAP can't be
used with anything other than NT-Hash passwords or cleartext passwords
in the authorize backend (in your case LDAP).
Thibault
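The point of the reply above is that a challenge/response method can only be checked server-side if the server can reconstruct the response from the stored credential. Below is an added illustration (not part of the original mail or of FreeRADIUS) of that constraint for plain CHAP (RFC 1994), whose CHAP-Challenge/CHAP-Password attributes appear in the quoted packet: PAP can be verified against an OpenLDAP `{SHA}` userPassword, while CHAP can only be verified against a cleartext entry. The password `s3cret-example` and the identity byte are constructed; the challenge value is taken from the quoted request, and the CHAP-Password computed here is not expected to match the one in the log because the real password is unknown.

```python
import base64
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(ident || secret || challenge), 16 bytes."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_password(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Encode a RADIUS CHAP-Password attribute value: one CHAP ident byte
    followed by the 16-byte response (17 bytes total, as in the log above)."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def ldap_sha_userpassword(secret: bytes) -> str:
    """Format a secret the way OpenLDAP stores a {SHA} userPassword."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(secret).digest()).decode("ascii")


def verify_pap(user_password_attr: str, candidate: bytes) -> bool:
    """PAP: the server receives the cleartext candidate, so it can apply the
    stored scheme itself and compare. Works for {SHA} and cleartext entries."""
    if user_password_attr.startswith("{SHA}"):
        stored = base64.b64decode(user_password_attr[len("{SHA}"):])
        return hmac.compare_digest(stored, hashlib.sha1(candidate).digest())
    # no scheme prefix: OpenLDAP stores the value as cleartext
    return hmac.compare_digest(user_password_attr.encode("utf-8"), candidate)


def verify_chap(user_password_attr: str, chap_password: bytes, challenge: bytes):
    """CHAP: the server only receives MD5(ident || secret || challenge) and must
    recompute it from the *cleartext* secret. A {SHA} (or any other hashed)
    entry gives it nothing to feed into the MD5, so the check is impossible.
    Returns True/False for a cleartext entry, None when it cannot be verified."""
    if user_password_attr.startswith("{"):
        return None  # hashed entry ({SHA}, {SSHA}, {CRYPT}, ...): unverifiable
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, user_password_attr.encode("utf-8"), challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed example secret; challenge copied from the quoted Access-Request.
    secret = b"s3cret-example"
    challenge = bytes.fromhex("a26932d73791f27d1314426f740ab34e")
    chap_pw = build_chap_password(0x00, secret, challenge)

    sha_entry = ldap_sha_userpassword(secret)   # what misterc's LDAP entry looks like
    clear_entry = secret.decode("utf-8")        # what CHAP would need instead

    print("PAP  vs {SHA} entry     :", verify_pap(sha_entry, secret))
    print("CHAP vs {SHA} entry     :", verify_chap(sha_entry, chap_pw, challenge))
    print("CHAP vs cleartext entry :", verify_chap(clear_entry, chap_pw, challenge))
```

The `None` result is the programmatic form of the `rlm_pap`/`rlm_chap` complaint in the log: the module is not rejecting the user, it simply has no comparable value. The same reasoning applies to MS-CHAP, which needs either an NT hash or a cleartext password in the backend.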